Service-oriented organizations may need to meet a wide variety of compliance requirements depending on their industry. For example, the American Institute of CPAs (AICPA) has a compliance framework that they call SOC 2 which is designed to create “Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.”
What is SOC 2? What are the major SOC 2 compliance requirements that service organizations should know about? How can you make sure your macOS devices meet these requirements?
To help answer these SOC compliance questions, here is a short breakdown of the AICPA’s SOC 2 certification framework:
What is SOC 2?
According to the AICPA website, SOC stands for “System and Organization Controls.” The SOC for Service Organizations AICPA page describes SOC 2 as reports that are:
“intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
As this excerpt implies, there are five major “trust service principles” that are inherent to SOC 2 compliance requirements:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 compliance reports come in two different types:
- Type 1 Reports. These are reports “on management’s description of a service organization’s system and the suitability of the design of controls.”
- Type 2 Reports. These are reports “on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.”
While both reports are based on “management descriptions,” the Type 2 definition goes a step further: it assesses not only whether the security and privacy controls are suitably designed but also whether they operate effectively.
What Are the Major Requirements of SOC 2 Compliance?
To comply with SOC 2, service organizations need to apply controls that meet the five trust service principles of SOC—privacy, security, confidentiality, availability, and processing integrity. However, the assessment criteria for controls may be customized based on the organization’s specific services and business practices, which makes it difficult to produce a one-size-fits-all SOC 2 compliance checklist.
While the requirements for SOC 2 compliance aren’t as rigid as some other compliance standards, there are some security controls and network elements that are common in SOC-compliant organizations:
- Multifactor Authentication. User access control systems that require two or more forms of identity verification are a common means of ensuring strong privacy and security. Instead of relying on a username/password combination alone, multifactor authentication (MFA) requires two or more of the following: something the user knows (such as a password or security question answer), something the user has (such as a USB key or a specific access device), and something the user is (biometric identification such as a fingerprint or voice recognition). MFA provides much stronger security and data privacy because a guessed or stolen password alone is no longer enough for a malicious actor to access data.
- Disaster Recovery/Business Continuity. A disaster recovery (DR) or business continuity (BC) solution is crucial for ensuring the availability of data and services following a catastrophic data loss event such as a ransomware attack or an outage at the service organization’s primary data center. By backing up data and creating system redundancy for emergencies, organizations can minimize the risk and impact of service and data loss events.
- Internal Quality Assurance Processes. Quality assurance processes help organizations meet the “processing integrity” trust service principle portion of SOC 2 compliance—but that’s not the only benefit of QA monitoring. Having a quality assurance process for checking the service organization’s network components and workflows helps the organization identify opportunities for improvement before they can become impediments to network stability or customer satisfaction.
- Firewalls at Network and Application Levels. It is well known that every organization should have a firewall to filter incoming network traffic. However, it takes more than a perimeter network firewall to provide optimal protection and satisfy SOC 2 compliance requirements. Having both network and application-level firewalls increases data confidentiality by segmenting the network so that “lateral movement” is impeded. This, in turn, makes it harder for attackers to reach multiple systems on the network—which helps meet SOC 2 security requirements.
- Data Encryption. Every business should use data encryption to help improve data privacy/confidentiality. While encryption does not stop attacks on the network, it does keep attackers from being able to interpret and leverage sensitive data right away. The longer it takes for attackers to break the encryption, the more time service organizations have to notify customers of the breach and take the appropriate steps to prevent fraud.
Meeting SOC 2 Compliance on macOS Devices
To ensure that the macOS devices on your own organization’s network are SOC 2 compliant, it is important to use a security configuration solution. A codeless Mac security configuration tool can help to ensure the application and enforcement of SOC 2-compliant security policies and settings on macOS devices.
For example, setting macOS devices to require the use of multifactor authentication, data encryption, and device-level firewalls can all help to enhance data privacy, security, and confidentiality. A centralized dashboard for monitoring macOS device status helps ensure that all devices are using the right security settings and also supports quality assurance checks.
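As an added illustration (not Kandji’s code or part of the original post), the script below is a minimal local check of two of the settings named above: disk encryption (FileVault) and the device-level application firewall. It assumes the real macOS commands `fdesetup status` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`, whose output contains “FileVault is On.” and “(State = 1)” respectively when the controls are enabled. The parsing functions take command output as an argument so they can be exercised on constructed sample strings on any system; only `run_local_audit` calls the real commands, and only on macOS. MFA is enforced by the identity provider rather than a local setting, so it is outside what this script can verify.

```shell
#!/bin/sh
# Added example (not Kandji's code): a small local audit of two controls the
# article names for macOS, FileVault (disk encryption) and the built-in
# application firewall. Parsing functions take command output as an argument
# so they can be tested on constructed strings; run_local_audit is the only
# function that runs the real macOS commands, and it does so only on Darwin.

# Real macOS commands whose output formats are parsed below.
FDESETUP="fdesetup status"
SOCKETFILTERFW="/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate"

# Compliant (return 0) when fdesetup reports "FileVault is On."
check_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compliant (return 0) when socketfilterfw reports the firewall enabled,
# i.e. its output contains "(State = 1)".
check_firewall() {
    case "$1" in
        *"State = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the two command outputs, print the names of the failing controls
# on stdout, space separated (empty when everything passes).
failing_controls() {
    failed=""
    check_filevault "$1" || failed="$failed filevault"
    check_firewall "$2" || failed="$failed firewall"
    echo "${failed# }"
}

# Human-readable PASS/FAIL report; returns 1 if any control fails, so the
# script can be used as a non-zero-exit check by a scheduler or MDM script.
audit_report() {
    failed=$(failing_controls "$1" "$2")
    for control in filevault firewall; do
        case " $failed " in
            *" $control "*) echo "FAIL $control" ;;
            *) echo "PASS $control" ;;
        esac
    done
    [ -z "$failed" ]
}

# On a Mac, run the real commands and report; elsewhere, demonstrate the
# report on constructed sample output (labelled as such).
run_local_audit() {
    if [ "$(uname)" = "Darwin" ]; then
        audit_report "$($FDESETUP 2>/dev/null)" "$($SOCKETFILTERFW 2>/dev/null)"
    else
        echo "(not macOS; using constructed sample output)"
        audit_report "FileVault is Off." "Firewall is disabled. (State = 0)"
    fi
}

run_local_audit || echo "one or more controls failed"
```

Run it with `sh audit.sh` on the device; a non-zero exit status from `audit_report` is the signal a fleet-management tool would collect, and the per-control lines are what you would feed into a central status dashboard of the kind described above.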
Curious about how SOC 2 and other regulatory compliance requirements affect your macOS devices? Subscribe to the Kandji blog to learn more about compliance for Macs!